Unauthorized response to invite on registered trunk

Hello
I have two Asterisk servers with a SIP trunk, with a dynamic host. The client Asterisk registers via a register. Later, it places calls through INVITEs, with a From that shows the real calling ID and not the account number.

That works well, but randomly the server seems to forget about the register and replies to the INVITE with an UNAUTHORIZED, which leads to a 403 Forbidden. I’ve added a qualify, with no luck, and adding insecure=invite did not help either.

Any ideas as to what is happening?

Here are the sip traces

U 2017/03/08 10:14:51.423533 ip.client.x.y:5062 -> ip.server.w.z:5060
REGISTER sip:fqdn.server.com SIP/2.0…Via: SIP/2.0/UDP ip.client.x.y:5062;branch=z9hG4bK194c3e3b…Max-Forwards: 70…From: sip:123456789@fqdn.server.com;tag=as1acd
03e5…To: sip:123456789@fqdn.server.com…Call-ID: 4906f33740ef98de1a879f131f4c303c@ip.client.x.y…CSeq: 1752 REGISTER…Supported: replaces, timer…User-Agent: Asteri
sk PBX…Authorization: Digest username=“123456789”, realm=“myrealm.com”, algorithm=MD5, uri=“sip:fqdn.server.com”, nonce=“1bb6f5c6”, response=“4a746842d1d1070d18258
a30807d9ee2”…Expires: 120…Contact: sip:s@ip.client.x.y:5062…Content-Length: 0…

U 2017/03/08 10:14:51.423837 ip.server.w.z:5060 -> ip.client.x.y:5062
SIP/2.0 401 Unauthorized…Via: SIP/2.0/UDP ip.client.x.y:5062;branch=z9hG4bK194c3e3b;received=ip.client.x.y;rport=5062…From: sip:123456789@fqdn.server.com;tag=as1ac
d03e5…To: sip:123456789@fqdn.server.com;tag=as180005fa…Call-ID: 4906f33740ef98de1a879f131f4c303c@ip.client.x.y…CSeq: 1752 REGISTER…Server: AsteriskServer11…Allow: INV
ITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE…Supported: replaces, timer…WWW-Authenticate: Digest algorithm=MD5, realm=“myrealm.com
”, nonce=“156e3e06”…Content-Length: 0…
#
U 2017/03/08 10:14:51.574062 ip.client.x.y:5062 -> ip.server.w.z:5060
REGISTER sip:fqdn.server.com SIP/2.0…Via: SIP/2.0/UDP ip.client.x.y:5062;branch=z9hG4bK014468f3…Max-Forwards: 70…From: sip:123456789@fqdn.server.com;tag=as1acd
03e5…To: sip:123456789@fqdn.server.com…Call-ID: 4906f33740ef98de1a879f131f4c303c@ip.client.x.y…CSeq: 1753 REGISTER…Supported: replaces, timer…User-Agent: Asteri
sk PBX…Authorization: Digest username=“123456789”, realm=“myrealm.com”, algorithm=MD5, uri=“sip:fqdn.server.com”, nonce=“156e3e06”, response=“a621f2f6cd1a3a12d9314
4a68e547707”…Expires: 120…Contact: sip:s@ip.client.x.y:5062…Content-Length: 0…
#
U 2017/03/08 10:14:51.574524 ip.server.w.z:5060 -> ip.client.x.y:5062
SIP/2.0 200 OK…Via: SIP/2.0/UDP ip.client.x.y:5062;branch=z9hG4bK014468f3;received=ip.client.x.y;rport=5062…From: sip:123456789@fqdn.server.com;tag=as1acd03e5…To:
sip:123456789@fqdn.server.com;tag=as180005fa…Call-ID: 4906f33740ef98de1a879f131f4c303c@ip.client.x.y…CSeq: 1753 REGISTER…Server: AsteriskServer11…Allow: INVITE, ACK,
CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE…Supported: replaces, timer…Expires: 120…Contact: sip:s@ip.client.x.y:5062;expires=120…Date: We
d, 08 Mar 2017 14:14:51 GMT…Content-Length: 0…
#
U 2017/03/08 10:15:14.142686 ip.client.x.y:5062 -> ip.server.w.z:5060
INVITE sip:0900000000@fqdn.server.com:5060 SIP/2.0…Via: SIP/2.0/UDP ip.client.x.y:5062;branch=z9hG4bK56422026;rport…Max-Forwards: 70…From: <sip:0500000000@176.31.78.
192:5062>;tag=as583e2884…To: sip:0900000000@fqdn.server.com:5060…Contact: sip:0500000000@ip.client.x.y:5062…Call-ID: 7d73fe19722687aa39645cd848fbc53d@176.31.78.1
92:5062…CSeq: 102 INVITE…User-Agent: Asterisk PBX…Date: Wed, 08 Mar 2017 14:15:14 GMT…Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
, MESSAGE…Supported: replaces, timer…P-Asserted-Identity: sip:0500000000@ip.client.x.y…P-Preferred-Identity: sip:0500000000@ip.client.x.y;user=phone…Privacy: none.
.Content-Type: application/sdp…Content-Length: 276…v=0…o=root 1115711791 1115711791 IN IP4 ip.client.x.y…s=Asterisk PBX 13.9.1…c=IN IP4 ip.client.x.y…t=0 0…m=audi
o 11364 RTP/AVP 18 101…a=rtpmap:18 G729/8000…a=fmtp:18 annexb=no…a=rtpmap:101 telephone-event/8000…a=fmtp:101 0-16…a=ptime:20…a=maxptime:230…a=sendrecv…
#
U 2017/03/08 10:15:14.143079 ip.server.w.z:5060 -> ip.client.x.y:5062
SIP/2.0 401 Unauthorized…Via: SIP/2.0/UDP ip.client.x.y:5062;branch=z9hG4bK56422026;received=ip.client.x.y;rport=5062…From: sip:0500000000@ip.client.x.y:5062;tag=as583
e2884…To: sip:0900000000@fqdn.server.com:5060;tag=as6ddea91d…Call-ID: 7d73fe19722687aa39645cd848fbc53d@ip.client.x.y:5062…CSeq: 102 INVITE…Server: AsteriskServer11…All
ow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE…Supported: replaces, timer…WWW-Authenticate: Digest algorithm=MD5, realm=“myrealm.com”, nonce=“395369c0”…Content-Length: 0…
#

[123456789]
type=friend
defaultuser=123456789
accountcode=123456789
regexten=123456789
amaflags=billing
secret=123456789
nat=force_rport,comedia
dtmfmode=RFC2833
qualify=no
disallow=all
allow=g729
allow=gsm
host=dynamic
context=mycontext
cancallforward=yes

Here is the core set debug 99 output from the moment the INVITE is rejected!
I’ve tried changing the NAT settings and insecure=port,invite; nothing helps!

1.2.3.4 is the ip of the client

[2017-03-08 16:17:55] DEBUG[133663][C-000485f9] chan_sip.c: **** Received INVITE (5) - Command in SIP INVITE
[2017-03-08 16:17:55] DEBUG[133663][C-000485f9] netsock2.c: Splitting '1.2.3.4:5062' into...
[2017-03-08 16:17:55] DEBUG[133663][C-000485f9] netsock2.c: ...host '1.2.3.4' and port '5062'.
[2017-03-08 16:17:55] DEBUG[133663][C-000485f9] netsock2.c: Splitting '1.2.3.4:5062' into...
[2017-03-08 16:17:55] DEBUG[133663][C-000485f9] netsock2.c: ...host '1.2.3.4' and port ''.
[2017-03-08 16:17:55] NOTICE[133663][C-000485f9] chan_sip.c: Failed to authenticate device <sip:0500000000@1.2.3.4:5062>;tag=as216c9929
[2017-03-08 16:17:55] DEBUG[133663][C-000485f9] chan_sip.c: Trying to put 'SIP/2.0 403' onto UDP socket destined for 1.2.3.4:5062

Sending 401 occasionally is correct behaviour, to avoid replay attacks.

Your full log does not show any errors, and your abbreviated log doesn’t show any 401s.

Here is a symptomatic sequence.

Client ----- Server
Register (with account# & nonce) =>
<= 401 Unauthorized (new nonce)
Register (with account # & new nonce, expires=120) =>
<= 200 OK
Invite (from = telephone number, contact = telephone number, no authorization field),
<= 401 Unauthorized (again with a new nonce)
Invite (from = telephone number, contact = telephone number, with authorization field & nonce),

Call is placed successfully.

Later, within the 120 seconds of the initial register, another INVITE gets rejected with 401 and a new nonce. Client sends an invite with an authorization field with this new nonce, and gets a 403 Forbidden.
Console then shows a Failed to authenticate device…

I can email a pcap file, but it contains private data that I do not wish to post publicly.

Thanks for your help
J
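The challenge/response sequence described in this thread, as an added example that is not part of any post or of Asterisk's code: it computes the MD5 digest (no `qop`, as in the `WWW-Authenticate` headers in the trace) and shows how a checker decides between re-challenging and rejecting. The realm, account, URI and nonce `395369c0` are taken from the trace; `SECRET`, the second nonce and the returned status labels are constructed for illustration.

```python
import hashlib
import hmac
import re

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, secret, method, uri, nonce):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{secret}")
    ha2 = md5_hex(f"{method}:{uri}")   # the SIP method is part of the hash
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header_value):
    """Split 'Digest k="v", k2=v2' into a dict of parameters."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header_value)
    return {key: quoted or bare for key, quoted, bare in pairs}

def build_authorization(username, realm, secret, method, uri, nonce):
    """Client side: the Authorization header value sent after a 401."""
    resp = digest_response(username, realm, secret, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", algorithm=MD5, '
            f'uri="{uri}", nonce="{nonce}", response="{resp}"')

def check_request(method, authorization, secret, issued_nonce):
    """Server side: simplified status labels (assumption, not Asterisk's)."""
    if authorization is None:
        return "401 challenge"          # no credentials yet: send a nonce
    auth = parse_digest(authorization)
    if auth.get("nonce") != issued_nonce:
        return "401 stale nonce"        # old nonce: re-challenge, blocks replay
    expected = digest_response(auth.get("username", ""), auth.get("realm", ""),
                               secret, method, auth.get("uri", ""), issued_nonce)
    if hmac.compare_digest(expected, auth.get("response", "")):
        return "200 accepted"
    return "403 bad response"           # right nonce, wrong hash

# Values from the trace, except SECRET, which is constructed.
ACCOUNT, REALM, SECRET = "123456789", "myrealm.com", "example-secret"
INVITE_URI = "sip:0900000000@fqdn.server.com:5060"

if __name__ == "__main__":
    hdr = build_authorization(ACCOUNT, REALM, SECRET, "INVITE", INVITE_URI, "395369c0")
    print(check_request("INVITE", None, SECRET, "395369c0"))
    print(check_request("INVITE", hdr, SECRET, "395369c0"))
    print(check_request("INVITE", hdr, SECRET, "aaaa0001"))  # constructed newer nonce
```

The digest identifies the account through `username` in the `Authorization` header, independently of the caller ID in `From`, and a response computed for one method or one nonce does not verify for another.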